A request for service is a systematic request for which a standard operating procedure should exist. This type of work is often converted to an Epic if it is long tailed, but not always.
Wed, Jul 31
Mon, Jul 29
Wed, Jul 24
Do you mean the shared login domain specifically or the SUL3 project in general? (I'll file another security preview request about T363699: Determine and implement SUL 3 login handshake mechanism in a day or two, once I have PoC code. I think these are the two particularly security-sensitive parts of the project, the rest of the work is less interesting.)
Hey @Tgr - I'd like to set up an initial threat-modeling/concept-review session (or two) for this work with you and any other relevant folks, this quarter. Are there any other technical folks that you're aware of who would likely be helpful during or interested in participating in such exercises? Thanks.
Tue, Jul 16
The configuration is now live in the beta cluster - the domain is not used for anything yet, but it works.
Example of an allowed request: https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Special:UserLogin
Example of a disallowed request: https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Main_Page
Tue, Jul 9
Mon, Jul 8
Jul 3 2024
Jun 28 2024
Jun 27 2024
Jun 26 2024
Updated list:
Jun 24 2024
Jun 20 2024
For Debian Bullseye, the following pip packages get installed to the Dagster venv:
For Debian Bullseye, the following packages get installed to the Superset venv:
Probably not? I used the link at https://www.mediawiki.org/wiki/Security/SOP/Security_Preview and that created it like that.
Does this need to be security protected?
Jun 19 2024
Jun 17 2024
There's a script in the internal frack "packages" repository that fetches the package and reports the portion of changelog associated with the latest package. The deb package is then added to the frack internal repository using "reprepro includedeb".
The basic install of dagster and its dependencies has been puppetized. Puppet also configures a pip-audit script to check for updates in the virtualenv and emails with success (clean audit) or an alert (patches are available). There's no project configuration in puppet yet, this part will be developed with BDC.
Jun 12 2024
Jun 11 2024
More on vulnerability tracking. This isn't awesome but:
https://github.com/minio/minio/security executive summary: watch the blog :-|
Jun 10 2024
Dec 13 2023
Nov 6 2023
JS was updated to sanitize the name being injected.
Nov 3 2023
We have concerns that the following code snippet from this feature contains an XSS that might be triggered by a malicious link opened by a user:
@sbassett Did AppSec review the JS to ensure that any parameters are scrubbed before injecting on the page?